T1102.002 CrowdStrike LogScale · LogScale

Detect Bidirectional Communication in CrowdStrike LogScale

Adversaries may use an existing, legitimate external web service as a means for sending commands to and receiving output from a compromised system. Compromised systems may leverage popular websites and cloud storage platforms (Google Drive, OneDrive, Dropbox, GitHub, Pastebin, Twitter, Google Calendar) to host C2 instructions and receive command output. This technique is particularly evasive because traffic blends with legitimate business use of these services, which are commonly accessed prior to compromise and protected with SSL/TLS encryption.

MITRE ATT&CK

Tactic
Command and Control
Technique
T1102 Web Service
Sub-technique
T1102.002 Bidirectional Communication
Canonical reference
https://attack.mitre.org/techniques/T1102/002/

LogScale Detection Query

CrowdStrike LogScale (LogScale)
cql 
#event_simpleName=DnsRequest
| DomainName = /(?i)(dropbox\.com|onedrive\.live\.com|drive\.google\.com|sharepoint\.com|box\.com|pcloud\.com|graph\.microsoft\.com|pastebin\.com|paste\.ee|ghostbin\.com|hastebin\.com|gist\.github\.com|api\.github\.com|raw\.githubusercontent\.com|api\.twitter\.com|twitter\.com|t\.co|blogspot\.com|discord\.com|discordapp\.com|api\.telegram\.org|slack\.com|api\.slack\.com|notion\.so|trello\.com|wordpress\.com|mediafire\.com|yandex\.com|sites\.google\.com|technet\.microsoft\.com)/
| rename(field=ContextProcessId_decimal, as=CorrelationPID)
| join(
    { #event_simpleName=ProcessRollup2
      | ImageFileName = /(?i)(powershell\.exe|pwsh\.exe|cmd\.exe|wscript\.exe|cscript\.exe|mshta\.exe|rundll32\.exe|regsvr32\.exe|certutil\.exe|python[0-9]*\.exe|pythonw\.exe|curl\.exe|wget\.exe|bitsadmin\.exe)$/
      | rename(field=TargetProcessId_decimal, as=CorrelationPID)
    },
    field=[CorrelationPID, aid],
    include=[ImageFileName, CommandLine, ParentBaseFileName, UserName]
  )
| ServiceCategory := case {
    DomainName = /(?i)(dropbox\.com|onedrive\.live\.com|drive\.google\.com|sharepoint\.com|box\.com|pcloud\.com|graph\.microsoft\.com)/ => "CloudStorage";
    DomainName = /(?i)(pastebin\.com|paste\.ee|ghostbin\.com|hastebin\.com|gist\.github\.com)/ => "PasteSite";
    DomainName = /(?i)(api\.github\.com|raw\.githubusercontent\.com)/ => "DevPlatform";
    DomainName = /(?i)(twitter\.com|api\.twitter\.com|t\.co|blogspot\.com|discord\.com|discordapp\.com)/ => "SocialMedia";
    DomainName = /(?i)(api\.telegram\.org|slack\.com|api\.slack\.com)/ => "Messaging";
    * => "OtherWebService"
  }
| HasEncodedPayload := if(CommandLine = /(?i)(-enc|-EncodedCommand|DownloadString|Invoke-Expression|IEX|Net\.WebClient|Invoke-WebRequest|Start-BitsTransfer|FromBase64String|base64)/, "true", "false")
| groupBy(
    [ComputerName, UserName, ImageFileName, DomainName, ServiceCategory, HasEncodedPayload],
    function=[
      count(as=ConnectionCount),
      min(@timestamp, as=FirstSeen),
      max(@timestamp, as=LastSeen),
      collect(CommandLine, limit=5)
    ]
  )
| sort(ConnectionCount, order=desc)
high severity high confidence

CrowdStrike Falcon LogScale query that joins DnsRequest events resolving known web service C2 domains with ProcessRollup2 events for suspicious executables on the same sensor (aid) and process ID. Categorizes the target service type, flags encoded command-line indicators, and aggregates connection counts per host, user, process, and destination domain for analyst triage. Covers the full set of cloud storage, paste sites, social media, developer platforms, and messaging APIs used in T1102.002 campaigns.

Data Sources

CrowdStrike Falcon sensor DnsRequest events (EventSimpleName=DnsRequest)CrowdStrike Falcon sensor process execution events (EventSimpleName=ProcessRollup2)

Required Tables

DnsRequestProcessRollup2

False Positives & Tuning

  • IT operations staff running authorized PowerShell scripts for SharePoint Online or OneDrive provisioning tasks on managed endpoints within approved change windows
  • Software developers on developer workstations using curl.exe or Python to access GitHub APIs for version control, package management, or CI/CD pipeline operations
  • Monitoring and observability agents that spawn cmd.exe processes to deliver alerts or metrics to Slack, Discord, or Telegram webhook endpoints as part of sanctioned operational tooling
  • Windows Update and patch management processes that invoke bitsadmin.exe for background downloads and also connect to Microsoft graph.microsoft.com or technet.microsoft.com endpoints
Download portable Sigma rule (.yml)

Other platforms for T1102.002

Microsoft Sentinel (KQL) Splunk (SPL) Elastic Security (Elastic) IBM QRadar (QRadar) Sumo Logic CSE (Sumo) Google Chronicle (YARA-L) All platforms (combined) →

Testing Methodology

Validate this detection against 4 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1Dropbox API C2 Simulation via PowerShell

    Expected signal: Sysmon Event ID 1: Process Create with Image=powershell.exe, CommandLine containing '-WindowStyle Hidden', 'api.dropboxapi.com', 'Invoke-RestMethod', 'Authorization'. Sysmon Event ID 3: Network Connection to api.dropboxapi.com (162.125.x.x) on port 443. Sysmon Event ID 22: DNS Query for api.dropboxapi.com and content.dropboxapi.com.

  2. Test 2Pastebin Read/Write C2 Simulation

    Expected signal: Sysmon Event ID 1: Process Create with CommandLine containing 'pastebin.com', 'Net.WebClient', 'DownloadString', 'UploadString', '-ExecutionPolicy Bypass'. Sysmon Event ID 3: Two Network Connections to pastebin.com on port 443. Sysmon Event ID 22: DNS Query for pastebin.com.

  3. Test 3OneDrive Network Drive C2 Simulation (PowerStallion Technique)

    Expected signal: Security Event ID 4688 or Sysmon Event ID 1: Process Create for cmd.exe with 'net use' and 'd.docs.live.net'. Child process powershell.exe with 'Get-Content', 'Out-File'. Sysmon Event ID 3: Network Connection to d.docs.live.net (OneDrive WebDAV endpoint) on port 443. Sysmon Event ID 22: DNS Query for d.docs.live.net.

  4. Test 4Google Drive C2 Read via Python (RIFLESPINE Technique)

    Expected signal: Sysmon Event ID 1: Process Create with Image=python.exe, CommandLine containing 'googleapis.com', 'drive/v3/files', 'urllib'. Sysmon Event ID 3: Network Connections to www.googleapis.com on port 443. Sysmon Event ID 22: DNS Query for www.googleapis.com.

Last updated: 2026-04-13 Research depth: deep
References (12)

Unlock Pro Content

Get the full detection package for T1102.002 including response playbook, investigation guide, and atomic red team tests.

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance
Sign Up for Pro View Pricing

Related Detections

Parent Technique

T1102Web Service

Related Sub-techniques

T1102.001Dead Drop ResolverT1102.003One-Way Communication

Related Techniques

T1102Web ServiceT1102.001Dead Drop ResolverT1102.003One-Way CommunicationT1567Exfiltration Over Web ServiceT1567.002Exfiltration to Cloud StorageT1105Ingress Tool TransferT1071.001Web ProtocolsT1573Encrypted ChannelT1027Obfuscated Files or InformationT1053.005Scheduled TaskT1078Valid Accounts

Same Tactic: Command and Control

Popular Detections